b'                      Testimony of Kathleen S. Tighe, Inspector General\n                                  U.S. Department of Education\n                                             Before the\n                       Committee on Oversight and Government Reform\n                                  U.S. House of Representatives\n                                           March 5, 2013\n\n\n\nChairman Issa, Ranking Member Cummings, and members of the Committee, I am pleased to be\n\nhere today to discuss opportunities to reduce waste and improve efficiency at the\n\nU.S. Department of Education (Department). As requested, I am focusing my testimony on the\n\nissue of audit resolution and recommendations made in Office of Inspector General (OIG)\n\nreports that the Department has not yet implemented. I want to thank the Committee for its work\n\nin highlighting the issue of unimplemented OIG recommendations over the last several years and\n\nfor holding this hearing to further shine a spotlight on an issue that is such a vital part of good\n\ngovernment.\n\n\n\nAs you know, the mission of my office is to promote effectiveness, efficiency, and integrity in\n\nDepartmental programs and operations. We do this by conducting independent audits,\n\ninspections, investigations, and other reviews. When we identify problems or weaknesses, we\n\nmake recommendations on actions the Department should take to correct those weaknesses or fix\n\nthose problems. The goal of our work is not simply to identify problems, but also to encourage\n\nimprovements and corrective actions. That is what audit resolution and followup are all about.\n\nThey are important mechanisms for helping management improve the performance of the\n\nDepartment and its programs. For the purposes of this testimony, we use \xe2\x80\x9caudit resolution and\n\n\n\n\n                                                  1\n\x0cfollowup\xe2\x80\x9d to refer to the Department\xe2\x80\x99s activities in response to formal recommendations in OIG\n\naudits, inspections, and other reviews. 1\n\n\n\nUnimplemented recommendations are a by-product of ineffective audit resolution and followup\n\nprocesses, which hamper an agency\xe2\x80\x99s ability to increase program and operational efficiency and\n\nprevent waste. Since 2002, we have issued six audit reports related to audit resolution and\n\nfollowup. We have also produced five letters for this Committee since 2007 on\n\nrecommendations made in OIG audit reports that the Department had not yet implemented. Our\n\nmost recent letter, provided to the Committee in December 2012, focused on high-priority short-\n\nterm and long-term recommendations that the Department has not yet implemented.\n\n\n\nToday, I will discuss information on the Department\xe2\x80\x99s audit resolution and followup processes,\n\nthe challenges it faces, and the findings of our recent work involving audit resolution and\n\nfollowup. I will also discuss the information included in our December 2012 letter to this\n\nCommittee.\n\n\n\nBackground on the Department\xe2\x80\x99s Audit Resolution and Followup Processes\n\n\nThe Office of Management and Budget (OMB) Circular A-50, \xe2\x80\x9cAudit Followup,\xe2\x80\x9d issued in\n\n1982, provides the policies and procedures for use by executive agencies when considering audit\n\nreports, such as those the OIG issues. It requires agencies to establish systems to ensure the\n\nprompt and proper resolution and implementation of audit recommendations and provides that\n\n\n\n1\n The Department is also responsible for resolving recommendations in other products related to Department\nprograms and operations, including those issued by the Government Accountability Office and by non-Federal\nauditors (such as independent public accountants and State auditors).\n\n                                                       2\n\x0cagency heads are responsible for designating a top management official to oversee audit\n\nfollowup, including resolution and corrective actions. At the Department, the Chief Financial\n\nOfficer is the designated Audit Followup Official and is charged with the timely resolution of\n\naudit reports and ensuring that appropriate corrective actions have been taken on agreed-upon\n\naudit recommendations. OMB Circular A-50 requires agencies to resolve audits within 6 months\n\nof issuance. It also requires OIG to review and generally agree with the Department\xe2\x80\x99s proposed\n\ncorrective action on recommendations made in an audit report before the audit can be considered\n\nresolved.\n\n\n\nThere are generally two types of OIG audits\xe2\x80\x94internal and external. Internal audits identify\n\ndeficiencies and recommend improvements in Department operations and programs to ensure\n\nthat the Department is using Federal education funds effectively and efficiently and\n\naccomplishing program goals. External audits are of external entities that receive funding\n\nfrom the Department, such as State educational agencies (SEAs), local educational agencies\n\n(LEAs), institutions of higher education, contractors, and nonprofit organizations. External\n\nOIG audit reports generally include recommendations for Department management to require\n\nthe external entity to take corrective action. These recommendations may be monetary, which\n\nrecommend that the entity return funds to the Department, or nonmonetary, which recommend\n\nthat the entity improve operations or internal controls.\n\n\n\nThe audit resolution process begins with the issuance of a final audit report. An internal audit is\n\ngenerally considered resolved when the Department and OIG agree on a corrective action plan\n\nfor each recommendation. An external audit is considered resolved when the Department issues\n\n\n\n                                                 3\n\x0ca program determination letter on the audit report to the external entity, which is agreed to by\n\nOIG. Upon resolution, the Department is responsible for ensuring that the corrective actions are\n\nactually taken. When the corrective actions for a recommendation have been implemented, the\n\nrecommendation is considered completed. An audit is considered closed when the Department\n\nensures that all corrective actions have been implemented, including that funds are repaid or\n\nsettlement made. 2\n\n\n\nChallenges in Audit Resolution and Followup\n\n\nAs mentioned previously, since 2002, we have issued six audit reports on the Department\xe2\x80\x99s audit\n\nresolution and followup processes, most recently in 2012. These reports have noted\n\nlongstanding challenges in these areas, including the following:\n\n\n\n     \xe2\x80\xa2    Untimely resolution of audits, particularly external audits, that has (1) impacted the\n          potential recovery of funds due to the statute of limitations 3 applicable to monetary\n          recommendations made in audits of entities (such as SEAs and LEAs) and (2) delayed\n          corrective actions by auditees. Specifically, our 2012 audit of the Department\xe2\x80\x99s\n          resolution process for OIG external audits found the following:\n\n\n\n\n2\n As required by the Inspector General Act of 1978, as amended, the OIG provides information in its Semiannual\nReports to Congress on audit reports issued, audit reports that are not yet resolved, and audit reports that have been\nresolved but for which corrective actions have not been implemented for at least a year after issuance of the final\naudit report.\n3\n  The General Education Provisions Act (GEPA) establishes a statute of limitations for programs administered by\nthe Department, including SEA and LEA recipients. The Department cannot seek recovery of funds that were spent\nmore than 5 years before an auditee receives a program determination letter. The funds recovered must also be\nproportional to the extent of harm to the Federal interest that the violation caused. Examples of Federal interest\ninclude serving eligible beneficiaries, providing authorized services, and complying with expenditure requirements.\nGEPA does not apply to programs authorized under the Higher Education Act of 1965.\n\n                                                           4\n\x0c            o 90 percent of the OIG audits with final report issuance dates from January 1,\n               2007, through December 31, 2010, had not been resolved within OMB\xe2\x80\x99s 6-month\n               deadline.\n\n                   \xef\x82\xa7   53 of these audits were overdue for resolution by an average of 1,078 days\n                       and included questioned costs that totaled $568 million.\n\n                   \xef\x82\xa7   Due to the running of the statute of limitations, the Department lost the\n                       opportunity to recover $415 million of these costs.\n\n            o Two years later (January 17, 2012), 42 percent of the audits were still unresolved.\n\n            o The percentage of external OIG audits not resolved timely increased during each\n               calendar year from 2007 through 2010.\n\n    \xe2\x80\xa2   Ineffective internal controls over audit resolution and followup, such as the failure to\n        ensure compliance with OMB Circular A-50.\n\n\n    \xe2\x80\xa2   A lack of the following: staff to conduct resolution activities, training so that staff had\n        sufficient knowledge to effectively conduct resolution activity, organizational priority\n        placed on audit resolution activities, and overall accountability.\n\n\n\nAnother challenge for the Department is repeat findings, which are far too common, particularly\n\nin our information technology security work and in our financial statement audit work. Repeat\n\nfindings are deficiencies that have been identified in previous work and remain unaddressed and\n\nthus are again identified in subsequent work. The following are examples of some of our repeat\n\nfindings:\n\n\n\n   \xe2\x80\xa2    In our FY 2012 Federal Information Security Management Act review, we found that 6\n        of the 11 security control areas we reviewed\xe2\x80\x94risk management, configuration\n        management, remote access management, identity and access management, security\n\n                                                 5\n\x0c        training, and contingency planning\xe2\x80\x94contained repeat findings from OIG and contractor\n        reports issued during the prior 3 years.\n\n\n    \xe2\x80\xa2   Since 2009, audits of the Department\xe2\x80\x99s and the Federal Student Aid office\xe2\x80\x99s (FSA)\n        financial statements by OIG\xe2\x80\x99s independent financial auditors found significant repeat\n        deficiencies relating to credit reform estimation and financial reporting processes and\n        controls surrounding information systems.\n\n\n\nImproved processes and an increased emphasis on the timely implementation of corrective\n\nactions can help significantly reduce the occurrence of repeat findings.\n\n\n\nRecent Department Actions to Address Audit Resolution and Followup\n\n\nDuring our 2012 audit of the Department\xe2\x80\x99s external audit resolution processes, we found that one\n\noffice within the Department had developed an internal action plan that was intended to improve\n\nits overall audit resolution process. The action plan included elements such as a quality\n\nassessment tool designed to improve the audit resolution specialists\xe2\x80\x99 ability to prepare quality\n\nresolution documentation, a tracking tool to monitor the status of audits throughout the resolution\n\nprocess, additional training for audit resolution specialists, an internal Web site to make audit\n\nresolution resources and tools readily available to audit resolution specialists, and hiring\n\nadditional staff to perform audit resolution activities. If implemented throughout the\n\nDepartment, we believe these changes could decrease the volume of audits overdue for\n\nresolution and improve the overall timeliness of resolution activities for external OIG audits.\n\n\n\nIn response to the findings of the 2012 audit, the Department proposed a series of short-term\n\nactions to address many of the specific recommendations in the report. In addition, the Deputy\n\n                                                   6\n\x0cSecretary has established a cross-agency team to review the audit resolution process. Members\n\nof this team agreed that the first critical business task would be focusing on resolving all overdue\n\nOIG external audits. As of February 1, 2013, the Department reported that the team is on track\n\nto resolve these audits by May 31, 2013. Department leaders have asked my office to participate\n\nin an advisory capacity on this team, and we have agreed to do so. We will be monitoring the\n\nDepartment\xe2\x80\x99s progress and will evaluate the effectiveness of the Department\xe2\x80\x99s improved audit\n\nfollowup process and corrective actions to address audit recommendations.\n\n\n\nSummary of December 2012 Letter to the Committee\n\n\n\nIn December 2012, the Committee on Oversight and Government Reform requested information\n\nfrom OIG related to our work plan process and high-priority recommendations. We told the\n\nCommittee the major initiatives in our work plan that we intend to undertake this year. We also\n\nidentified short-term and long-term recommendations that, if fully implemented, will address\n\nweaknesses or deficiencies in Departmental programs and operations. Our recommendations\n\naffect key areas important to the Department\xe2\x80\x99s ability to effectively achieve its mission: Federal\n\nstudent aid, improper payments, information technology security, and charter schools as follows:\n\n\n\n       Federal Student Aid\xe2\x80\x94Fraud Rings\n\n\n       In 2011, we issued a report that brought to the Department\xe2\x80\x99s attention a serious fraud\n\n       vulnerability in distance education programs: \xe2\x80\x9cfraud rings,\xe2\x80\x9d which are large, loosely\n\n       affiliated groups of criminals who seek to exploit distance education programs in order to\n\n       fraudulently obtain Federal student aid. Because all aspects of distance education take\n\n       place through the Internet (admission, student aid, course instruction), students are not\n\n                                                 7\n\x0c           required to present themselves in person at any point and institutions are not required to\n\n           verify prospective and enrolled students\xe2\x80\x99 identities; thus, fraud ringleaders are able to use\n\n           the identities of others (with or without their consent) to target distance education\n\n           programs. Fraud rings mainly target lower cost institutions, because the Federal student\n\n           aid awards are sufficient to pay institutional charges (such as tuition), and the student\n\n           receives the award balance to use for other educational expenses, such as books, room\n\n           and board, and commuting. Our report offered nine specific recommended actions for\n\n           the Department to take to address this fraud. Although the Department agreed to all of\n\n           these recommendations, most have not yet been implemented.\n\n\n\n           In January 2013, we provided the Department the results of our risk analysis related to\n\n           student aid fraud rings, which for the time period 2009 to 2012, estimated a probable loss\n\n           of more than $187 million in Federal student aid funds as a result of these criminal\n\n           enterprises. 4\n\n                     Short-Term Recommendation: Seek a statutory change to the cost of\n\n                     attendance calculation for students enrolled in distance education programs under\n\n                     the Higher Education Act of 1965 to limit the allowance for room and board and\n\n                     other costs that distance education program participants do not incur as a result of\n\n                     their studies.\n\n                     Long-Term Recommendation: Establish edits in the Department\xe2\x80\x99s student aid\n\n                     systems, such as verification of an applicant\xe2\x80\x99s identity and high school graduation\n\n                     status, and to flag potential fraud ring participants and implement controls in the\n\n                     Department\xe2\x80\x99s Personal Identification Number delivery system.\n4\n    During this time period, $509.9 billion in Title IV aid was distributed.\n\n                                                              8\n\x0cFederal Student Aid\xe2\x80\x94Default Management\n\n\nIn 2012, we issued an alert report that identified significant problems with FSA\xe2\x80\x99s process\n\nfor managing defaulted student loans. Specifically, we found that the Debt Management\n\nCollection System 2 (DMCS2) was unable to accept transfer of certain defaulted student\n\nloans from FSA\xe2\x80\x99s loan servicers. Since DMCS2 was implemented in October 2011, the\n\nTitle IV Additional Servicers and ACS Education Solutions, LLC, have accumulated\n\nmore than $1.1 billion in defaulted student loans that should be transferred to the\n\nDepartment for management and collection. DMCS2 has been unable to accept transfer\n\nof these loans and, as a result, the Department is hampered in pursuing collection\n\nremedies and borrowers are unable to take steps to remove their loans from default status.\n\nThe inability of DMCS2 to accept these transfers also contributed to a material weakness\n\nin internal control over financial reporting that was identified in FSA\xe2\x80\x99s Fiscal Year 2012\n\nfinancial statement audit. Based on our interaction with FSA officials to date, FSA has\n\nyet to implement effective corrective action to bring these affected loans into collection\n\nand to correct the problems with DMCS2.\n\n       Short-Term Recommendation: Identify problems related to DMCS2 loan\n\n       transfers, the source of each problem, and the entire population of loans adversely\n\n       affected and establish dates for resolving the cause of each identified problem\n\n       related to DMCS2 loan transfers.\n\n\n\n\n                                          9\n\x0c                  Long-Term Recommendation: Determine whether DMCS2 can become a fully\n\n                  operational system that will meet all of the baseline functional system\n\n                  requirements.\n\n\n\n         Information Technology Security\n\n\n         The Department collects, processes, and stores a large amount of personally identifiable\n\n         information regarding employees, students, and other program participants. OIG has\n\n         identified repeated problems in information technology security and noted increasing\n\n         threats and vulnerabilities to Department systems and data. OIG\xe2\x80\x99s information\n\n         technology audits and other reviews have identified management, operational, and\n\n         technical security controls that need improvement to adequately protect the\n\n         confidentiality, integrity, and availability of Department systems and data.\n\n         We have repeatedly recommended that the Department strengthen its controls and\n\n         develop monitoring capabilities designed to help safeguard Department systems and data\n\n         from unauthorized access, misuse, and fraud. Further, since 2009, audits of the\n\n         Department\xe2\x80\x99s and FSA\xe2\x80\x99s financial statements by OIG\xe2\x80\x99s independent financial auditors\n\n         found significant repeat deficiencies involving controls over information technology\n\n         security. In addition, our work has found that Department privileged accounts have been\n\n         compromised by keylogger 5 software that could have been used to infect and even extract\n\n         data from Department systems. Based on the Department\xe2\x80\x99s flawed mitigation process,\n\n\n\n5\n Keylogging is the action of tracking the keys struck on a keyboard. Keylogger software logs and monitors all\nactivities on the computer where it is installed. Criminals typically use keyloggers to capture user identification and\npassword of unwitting individuals for various fraudulent purposes.\n\n\n\n                                                          10\n\x0cwe have little assurance as to whether sensitive data has been exfiltrated by unauthorized\n\nindividuals from Department systems.\n\n       Short-Term Recommendation: We have recommended that the Department\n\n       implement two-factor authentication\xe2\x80\x94a key safeguard against keylogger usage\xe2\x80\x94\n\n       for all users with access to Departmental systems. Although the Department has\n\n       made progress on implementing two-factor authentication for Department\n\n       employees, it has not yet done so for all contractors and other authorized users.\n\n       Long-Term Recommendation: The Department and FSA must determine why\n\n       information technology initiatives are not effectively implemented and managed\n\n       to ensure successful system integration, system and data security, and\n\n       identification and mitigation of fraudulent activity.\n\n\n\nImproper Payments\n\n\nIn FY 2011, the OMB designated the Federal Pell Grant program a \xe2\x80\x9chigh-priority\xe2\x80\x9d\n\nprogram because the FY 2010 Pell improper payments estimate of $1,005 million (a rate\n\nof 3.12 percent) exceeded the OMB threshold of $750 million. As required with this\n\ndesignation, the Department coordinated with OMB to establish and execute a plan to\n\nimplement high-priority program requirements, including designating accountable\n\nofficials and establishing supplemental measures to report. As a result of the Department\n\nexecuting its plan, the FY 2011 Pell Grant improper payment rate fell to 2.72 percent,\n\nwith estimated improper payments of $993 million. The FY 2012 improper payment rate\n\nalso fell, dropping to 2.49 percent, with estimated improper payments of $829 million.\n\nAlthough the Department is making progress, it can do more. In 2010, the Department\n\n\n                                         11\n\x0cimplemented the Internal Revenue Service Data Retrieval Tool (IRS DRT), which allows\n\nFederal student aid applicants and, as needed, parents of applicants, to transfer certain tax\n\nreturn information from an IRS Web site directly to their online Free Application for\n\nFederal Student Aid (FAFSA). However, only 26 percent of all FAFSAs submitted for\n\nthe 2012\xe2\x80\x932013 academic year used the IRS DRT. Use of the tool is optional, so people\n\nintent on defrauding the program by providing false income information likely would not\n\nselect the IRS option. Because the IRS DRT is not mandatory, institutions retain the\n\nburden of verifying an applicant\xe2\x80\x99s income.\n\n       Short-Term Recommendation: Study Pell Grant program recipients who do not\n\n       use the IRS DRT and who are not selected for verification to determine whether\n\n       the Department has adequate controls in place or needs to implement additional\n\n       controls to mitigate the risk of improper payments to this population of Pell Grant\n\n       recipients.\n\n       Long-Term Recommendation: Since 1997, we have recommended\n\n       implementation of an IRS income data match that would allow the Department to\n\n       match the information provided on FAFSAs with the income data the IRS\n\n       maintains. While the Higher Education Act of 1965 has been amended to reflect\n\n       this requirement, the Internal Revenue Code has not been similarly amended.\n\n       Amending the Internal Revenue Code to permit this match could help identify\n\n       income inconsistencies and eliminate an area of fraud and abuse within the\n\n       student financial assistance programs.\n\n\n\n\n                                         12\n\x0cCharter Schools\n\n\nCharter schools are nonsectarian, publicly funded schools of choice exempt from certain\n\nState and local regulations. In return for reduced governmental regulation, charter\n\nschools agree to be held accountable for their academic and financial performance. A\n\ntotal of 42 States and the District of Columbia have enacted laws allowing the\n\nestablishment of charter schools, and the laws differ from State to State. State charter\n\nschool laws assign authorizers to approve charter school applications, oversee and ensure\n\ncompliance, review and renew contracts, and close charter schools. State charter school\n\nlaws allow for various types of authorizers, which can include institutions of higher\n\neducation, independent chartering boards, school districts or LEAs, and not-for-profit\n\norganizations. OIG has conducted a significant amount of investigative work involving\n\ncharter schools. These investigations have found that authorizers often fail to provide\n\nadequate oversight to ensure that charter schools properly use and account for Federal\n\nfunds. Further, in September 2012, we completed an audit of the Department\xe2\x80\x99s oversight\n\nand monitoring of the Charter Schools Program\xe2\x80\x99s SEA and non-SEA Planning and\n\nImplementation Grants. We determined that the Department did not effectively oversee\n\nand monitor the grants and did not have an adequate process to ensure SEAs effectively\n\noversaw and monitored their subgrantees.\n\n       Short-Term Recommendation: Develop and implement a risk-based approach\n\n       for selecting non-SEA grantees for monitoring activities.\n\n       Long-Term Recommendation: Provide necessary guidance and training to\n\n       SEAs on how to develop and implement procedures to ensure SEAs have\n\n\n\n\n                                         13\n\x0c               effective monitoring and fiscal controls for tracking the use of funds by charter\n\n               schools.\n\n\n\nConclusion\n\n\nOIG audits, inspections, investigations, and other reviews identify fraud, waste, and abuse;\n\nprovide information on the effectiveness of internal controls; and evaluate the appropriateness of\n\nFederal funds usage. The results of our work can serve as a tool for Department management in\n\nits daily operations, long-term strategic planning, and overall risk management. However, our\n\nwork is effective only if the Department implements timely corrective actions to address\n\nidentified deficiencies or weaknesses that hamper its ability to carry out its mission. We see that\n\nthe Department is planning to take steps to improve its audit resolution and followup processes,\n\nand we will closely monitor and report on its progress.\n\n\n\nOnce again, I want to thank the Committee for highlighting the issue of unimplemented OIG\n\nrecommendations and helping make audit resolution a priority for all Federal agencies. This\n\nconcludes my written statement. I am happy to answer any of your questions.\n\n\n\n\n                                                14\n\x0c'